Reduce nginx SSL handshake latency

Im trying to setup a very simple and fast reverse proxy with nginx. One thing that surprised me is that using my own certificate with nginx and receiving raw tcp at first requests are very similar (about ~300ms) but the next requests are actually much slower than fly’s TLS handler (which suddenly starts to process SSL in ~85ms). So, I wonder if there is some magic behind the fly’s network or if there is something I can do with my settings.

I already tried the following:

ssl_session_cache shared:SSL:15m;
ssl_session_timeout 15m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_early_data on;

Im already using exactly same type of certificate and processing with the same crypto algorithms as Fly.

How far is your nginx server from where you’re testing? We do TLS at all the edges, so the speed difference could just be the difference in latency to our edge servers and to your nginx.

If you visit you can see where we’re doing TLS for you. The headers section has a Fly-Region. If you run your nginx on Fly in that region, you may get closer in speed :

Thank you !
I was testing with the containers at Chile (which is the closest available for now) but I didnt know that the Brazil’s servers (which is much closer than Chile) are already routing SSL traffic - just spent hours at an unfair competition lol.

Oooh! Yes that would do it. Sao Paulo to Chile is not a great internet route, it might even be faster in Atlanta if you want to do your own SSL (until we get Sao Paulo running).

Hm just tested here and Im getting ~500 ms with TLS handshake from São Paulo to Atlanta. (I confess that Im more surprised with the latency to scl being lower than the opposite).

You are right. I just checked our internal ping times and it’s ~47ms between Sao Paul and Santiago, then ~110ms to New York / Virginia / Atlanta. Seems like we have better connectivity between Sao Paulo and Santiago than I thought!

1 Like